Accelerating Snort with PF_RING DNA

Since some time, PF_RING includes a DAQ (Data AcQuisition library) module for the popular Snort IDS/IPS. With respect to Linux AF_PACKET, the use of PF_RING significantly accelerates all snort operations. We have recently created a new DAQ module that adds native PF_RING DNA support, further accelerating the vanilla PF_RING DAQ module from 20 to 50%. The support of DNA in addition to greater speed, also has the advantage of exploiting symmetric RSS, so that you can run one snort instance per RX queue and be sure that such instance will process a coherent set of packets, property that does not hold with the standard RSS. This is the key for scalability on multi-core systems.

Conceptually the DNA DAQ module is similar to the PF_RING DAQ module in terms of command line options, so users familiar with it can immediately use the new DAQ module. In order to use DNA DAQ you need a DNA-aware adapter.

You can get PF_RING DNA DAQ on the ntop shop site for a little fee that allows us to maintain and develop the code. Universities and research institutions can contact us to get it at no cost.